krlex/wire-guard-manager

WG-manager

A unified Web UI for managing WireGuard peers, iptables port forwards, and Nginx reverse-proxy sites (with per-host access control) on a single Linux host. Sandbox-by-default — every module is opt-in for live changes, so you can try the whole stack on 127.0.0.1:8088 without touching the host.

Status

v0.1.0 — first tagged release. Active development continues on the develop branch; releases are cut on main.

Quick start

git clone https://github.com/krlex/wire-guard-manager.git WG-manager
cd WG-manager
cp .env.example .env       # optional for sandbox; required before exposing the UI off localhost
docker compose up -d --build
open http://127.0.0.1:8088    # sign in: admin / admin (change immediately)

For a real deploy that manages the host's WireGuard / nginx / iptables, see Host Deploy. Always smoke-test in the Vagrant rig first.

Features

  • Authentication — bcrypt + signed-cookie sessions, multi-user with per-user expiry, admin / user roles, change-password, rate-limited login.
  • WireGuard — peer create / delete, enable / disable without delete, IP allocation from configurable subnet, X25519 keypairs in pure Python, .conf + QR code per-peer download, expiry, owner-scoped visibility for non-admin users, live wg show stats (last handshake, transfer ↓ ↑).
  • Nginx — managed-directory model (only files with the # managed-by: wg-manager marker are read or rewritten), Public vs LAN-only sites with WGM_NGINX_ALLOW_CIDRS, one-click HTTPS via certbot certonly --webroot + auto-rendered 443 server block + 80→443 redirect.
  • Firewall — DNAT + MASQUERADE port forwards tagged with wgmanager:<id> so we never disturb hand-written rules; persisted via iptables-save.
  • Audit log — every action is recorded with the actor, surfaced on the Overview tab and exposed at /api/audit.
  • Backup / restore — single .tar.gz covering wg0.conf, the managed nginx files, firewall.json, and the SQLite db.
  • Sandbox vs live — three independent kill switches: WGM_WG_LIVE, WGM_NGINX_LIVE, WGM_FW_LIVE. All off by default.
  • Host deploy: docker-compose.host.yml override with bind mounts, network_mode: host, pid: host, cap_add: NET_ADMIN, plus backend/Dockerfile.host carrying wireguard-tools, iptables, nginx, and certbot. Validated end-to-end against a Debian 12 Vagrant box.
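
The firewall tagging described in the Features list, as an added example (not code from the WG-manager repository): it assumes the wgmanager:<id> tag is stored as an iptables comment match, and the names rule_tag, delete_commands and unmanaged_rules are hypothetical. It selects only rules whose comment is exactly the tag, so hand-written rules and look-alike comments are never touched.

```python
import re
import shlex

# Assumption: the wgmanager:<id> tag is carried by the iptables comment match.
TAG_RE = re.compile(r"wgmanager:(\d+)")

# Constructed sample of `iptables-save -t nat` output (not from a real host).
SAMPLE_NAT = '''\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22
-A PREROUTING -p tcp -m tcp --dport 8080 -m comment --comment "wgmanager:3" -j DNAT --to-destination 10.8.0.2:80
-A PREROUTING -p tcp -m tcp --dport 8443 -m comment --comment "wgmanager:30" -j DNAT --to-destination 10.8.0.9:443
-A POSTROUTING -d 10.8.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "wgmanager:3" -j MASQUERADE
-A POSTROUTING -o eth0 -m comment --comment "old wgmanager:3 test" -j MASQUERADE
COMMIT
'''

def rule_tag(line):
    """Return the forward id if the rule's comment is exactly wgmanager:<id>, else None."""
    if not line.startswith("-A "):
        return None
    args = shlex.split(line)  # handles quoted and unquoted comment values
    for i, arg in enumerate(args[:-1]):
        if arg == "--comment":
            m = TAG_RE.fullmatch(args[i + 1])  # fullmatch: 3 must not match 30
            return int(m.group(1)) if m else None
    return None

def delete_commands(save_text, forward_id, table="nat"):
    """Build iptables -D argument lists for one forward; untagged rules are never selected."""
    cmds = []
    for line in save_text.splitlines():
        if rule_tag(line) == forward_id:
            cmds.append(["iptables", "-t", table, "-D"] + shlex.split(line)[1:])
    return cmds

def unmanaged_rules(save_text):
    """Rules the tool must leave alone: every rule without an exact tag."""
    return [l for l in save_text.splitlines()
            if l.startswith("-A ") and rule_tag(l) is None]

if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_NAT, 3):
        print(shlex.join(cmd))
```

The commands are returned as argument lists so they can be passed to a subprocess call without a shell.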

Documentation

The operator wiki lives in docs/:

License

WG-manager is licensed under the GNU General Public License v3.0. See LICENSE for the full text.

Trademark notice

WireGuard is a registered trademark of Jason A. Donenfeld. WG-manager is not affiliated with, endorsed by, or sponsored by the WireGuard project. WG-manager does not bundle or distribute the wireguard-tools userspace, the WireGuard kernel module, or the WireGuard logo.

Third-party dependencies

WG-manager builds on these open-source libraries:
